Needless to say, we’re not very impressed by this, and I made this clear in my response to the bankers. (I am embarrassed to see I accidentally left Mike Bond off the list of authors of the No-PIN vulnerability. Sorry, Mike!) There is one piece of Christmas cheer, though: the No-PIN attack no longer works against Barclays’ cards at a Barclays merchant. So at least they’ve started to fix the bug – even if it’s taken them a year. We’ll check and report on other banks later.

The bankers also fret that “future research, which may potentially be more damaging, may also be published in this level of detail”. Indeed. Omar is one of my coauthors on a new Chip-and-PIN paper that’s been accepted for Financial Cryptography 2011. So here is our Christmas present to the bankers: it means you all have to come to this conference to hear what we have to say!

Security in finance transactions needs a complete overhaul – by people that actually understand real security, not people doing the minimum, then passing responsibility on to users who have no possibility of controlling the situation.

This kind of disclosure is of vital necessity. It shows the banks that their product is bad, it tells the public to be a lot more careful and a lot less trusting of banks.

Once a paper like this is published (and in this case they apparently already knew about it for a year but hadn’t fixed it yet), they will now have to fix it or risk embarrassment and liability for damages if they don’t, when it could be shown they knew of the problem but chose not to fix it.

Bankers only care for their big bonus pay outs and they hate being inconvenienced. They owe it to their customers, whom they have shown no reluctance to fleece, to fix their problems.

Thank you for your excellent work and your academic integrity. Bankers deserve no consideration because they are shown time and again to be bad actors when it comes to defending the needs of their customers. It’s not enough that they don’t care about the safety and security of the trust their customers place in them. Now they want to stifle academic research. It’s unconscionable that these people even have a job in this industry.

Well said. One can’t help thinking the banks are motivated to conceal and obfuscate such information just so they can drag their feet fixing this while reducing cost (to them, not defrauded customers) by casting doubt upon any claims of unauthorized transactions.

Having read your response letter (I work at a lab too), I’d say this was a major missed opportunity.

What you should’ve said: “Listen, your whole system is flawed and full of holes like a tennis racket made of swiss cheese. So for a start immediately buy our university department the following:
– One of each on their catalog [agilent.com]…
– And theirs [ni.com]…
– And theirs [fluke.com]…
…we’ll send back the ones we don’t need. That should cost you only 50-100 million (you might get a discount). Budget it as a long term investment into transaction systems.”

At least this is a recurring dream of mine. Oh well, back to the grind … calibrating old Tektronix oscilloscopes…

Very nice response, indeed. But these kinds of “frank” replies might get you into trouble if it gets to a legal dispute. Although I don’t see any evidence that you might have played to the advantage of the receiving end of your letter, these kinds of matters are best handled with the counsel of a lawyer – as I’ve learned on my own ;(

I just came here from Boingboing, and that was a fantastic letter. I don’t see why they aren’t snapping up Omar’s devices by the dozen and hailing him as a scholar-citizen whose interest is in patching holes to keep the banks and their customers safer–their PR departments must be asleep not to grab at opportunities to say, “we’re making our system safer, and this scholar, who could be any one of you, is a hero!”

It takes academics to stand up to errant bankers. Powerful corporations don’t seem to have the needed courage.
I fully expect them to first call up every single higher-up in the authority-chain in the University to try and pressure you to retract everything.
Might not be a gag order, but a few phone calls. If you can show a real benefit of this like getting a good name for the Univ or getting a patent or some implementation, and so on, that should suffice to keep the bankers away from pestering Univ bosses.
When they cannot do anything else – like suppressing media reports, writing false reports, etc, then they will hire someone or you to do the work.
Seeing how they reacted to Wikileaks, there is no telling how irresponsibly financial institutions could behave, if they can get away with it.

After reading the letter from the banking card association, I wound up snickering, at the end of the letter is the *hint* and veiled accusation that a student did something illegal in the course of research, which can best be described as:

Police Bait.

And watch as they go to the Met or someone else and say: “See? Bad, bad, bad, let’s shut down the school.”

Make good products, you idiots. And let’s find the stupid CFO that said : “Nah, not worth fixing that, too much money.” and expose that.

If the banking card association were smart, they’d form an association with these researchers, exchange information & technology, let the students beat up on it and fix the problems. I’m sure Cambridge would be OK with some arrangement like a student finds a defect, everyone works on it, does a paper, and then the information is released after the fix.

This doesn’t happen now because the banks DO NOT LISTEN and wave lawyers around every time a university tries to be helpful. Idiots.

Excellent. Most of the time, I find the pomp and ceremony of academia mildly annoying, but situations like this remind me what all those fancy robes are for. When you need to make a stand on the basis of integrity, it’s helpful to be able to root yourself in a thousand-year-old tradition, funny hats and all.

This is a proud moment for Cambridge. Hopefully academic leaders elsewhere will take note.

I just wanted to say thank you for fighting censorship. This information deserves to be put out there, and corporations shouldn’t be able to bully their way out of a hole in their security. You have upheld academic integrity, and deserve to be commended for it.

Will Godrey makes the mistake of underestimating the banks. They understand security. Passing risk onto consumers helps make banks secure. Risk “management” does not mean reduction necessarily; not when you can share it around! Sadly they know exactly what they’re doing.

Hat off to you! I hope that does its bit to break the herd-mentality of bankers that brought to mind the Hitchhiker’s Guide to the Galaxy description of the Bugblatter Beast of Traal “…The Ravenous Bugblatter Beast of Traal is a creature that hails from the planet of Traal, and will eat anything. The beasts are impossible to kill. To deal with a beast, one should wrap a towel around one’s own head. This creature is so mind-bogglingly stupid that it assumes that if someone cannot see it, then it cannot see the person…”

It is indeed sad that Melanie Johnson should be reduced to being a stooge for a bankers lobby organization. She has strong connections with Cambridge and is a best mate of ex-MP Anne Campbell so should know better than this clumsy attempt at censorship.

Excellent! I am so pleased that banks’ secrecy about security issues has been exposed in such a manner. I have long thought they are too sneaky and self-serving to truly maintain our interests…this was confirmed earlier in the year when I was a victim of PIN card fraud whilst travelling. (It took months, numerous complaints and e-mails to convince them it was not my fault.) Furthermore, it is refreshing to be reminded of the professional and unwavering stance that all academic institutions should aspire to.

I wanted to write a tiny rant about how sad it is that big companies have lost their mid-term and long-term steering capabilities and only seem to live in 90-day intervals, but others have done this already in a more elaborate way.

In fact, you should continue publishing security flaws if you find one *and* make known to the bankers that this will continue on and on, if they continue thinking that security is to be bought in pieces and eternally available afterwards.

Instead, it is a process of continuously improving.
At least it should be.

“It is indeed sad that Melanie Johnson should be reduced to being a stooge for a bankers lobby organization.” – oh come ON! She was undersecretary of state at the DTI when the Copyright Directive was being implemented, and therefore the source of some of the worst stonewalling letters to issue from a British Government.

According to her letter, “Concern has been expressed to us by the police”. We’re not told if that concern was specifically elicited by the UK Cards Association, and what is the concern supposed to have been about? “Falsifying a transaction”. What does that *actually* mean? Does it actually involve some sort of criminal activity? No, it’s just a way of getting an insinuation of criminality into her letter. I hope the police are happy with the use of their good name in a scurrilous and censorious attempt to suppress commercially inconvenient research.

Recently academics in Cambridge fought off an attempt to reform Statute U, this is the statute that offers protection of academic freedoms. This example of an attempt by major corporations to gag academic publications because they find the content to be against their liking is precisely why we were right to defend our right to publish. Sadly other UK academic institutions were not so successful in fighting reforms to their own model statutes on academic freedoms so perhaps an attempt at censorship might have been more successful elsewhere in the UK.

2: I appreciate that there is still a University in existence that has not been reduced to the status of complete corporate stooge. The U. S. has managed to destroy the integrity of all but a very few of our universities, and I am only giving those the benefit of the doubt until they prove their true colors.

3: The U. S. already has a legal gag rule on this sort of thing called the DMCA – that is not the official name, but might as well be. Good luck with preventing the same sort of stupidity from killing you – the attempt has been made, and is continuing. I would expect that somebody is already making the case that you have violated the DMCA and should be extradited, or at least arrested should you ever make your way over here – we have already had some cases of this sort. You might want to think about this if you ever feel the need to travel this way.

These institutions need to realise that research into the foibles of their products is beneficial. I’d imagine it saves them a lot of time and money having to do it themselves or find out the hard way after a large co-ordinated assault on their infrastructure.

While I wholeheartedly echo the sentiments of those who found the response to the UK Cards Association deeply satisfying, I fear that the many posters applauding what they see as a refusal to knuckle under to the demands of the financial sector have missed the point, clearly made in the response. Even had there been a willingness to censor Omar Choudary’s work, it would not have been within the power of the University to do so for two reasons: 1) the University has no key to that particular stable door and 2) the horse had long ago bolted.

For me, it’s these very points, which highlight the stupidity of the Association’s demands and its evident desire to find someone, anyone, to blame for a problem created by its own incompetence, which make the rational response to its foot-stamping all the more succulent. After all, there are few things more satisfying than watching pomposity skillfully, and with dignity, being deflated.

@John Collins: Melanie Johnson’s case of a politician turned financial industry exec shows how City revolving doors work. This kind of closeness between the financial industry and the politicians (of whatever persuasion) is the major cause why bankers who engineered the current crisis will never face justice (or even be investigated in a way common criminals should be investigated).

I’m a little late getting to this article (Christmas and no InterWeb, another story) and upon reading it I see my initial thoughts were captured by Martin Emmerich. Martin highlights the false premise of “security by obscurity” or as I was taught in the early 80’s “no security simply by obscurity”.

History is littered with examples of this fallacious argument. To me the best example was the American WWII atomic weapons program, where not even Vice President Truman knew of the weapon’s existence until he became President, but Stalin was well informed and probably knew of the Manhattan Project before Truman. At the time the Americans believed that even if the Soviets knew of the atomic weapon they would not be capable of constructing one for at least a decade or more, and they (the Americans) would have a decade or two to consolidate their hegemony. History says otherwise.

Closer to home we can even measure how false this argument is in monetary terms. How much money would we (UK, http://www.gchq.gov.uk/history/pke.html) raise each year if we had patented asymmetric (public-key) encryption and charged a penny per transaction instead of trying to keep its possibility a secret?

If Omar had not put his MPhil online it would have ended up in the department’s library, the UL and perhaps BL. The bankers would know nothing about it. But a clever bad man into this type of stuff could make the odd visit to these libraries to see what is cutting edge technology. The rest is simple.

Obviously Omar should put his research online if for no other reason than to protect the bankers. No point in him just sending them his MPhil because, as is clear from the UK Card Association letter, they would claim they have everything under control and do nothing.

Absolutely chuffed beyond all previous bounds of chuffedness that you’re standing your ground for citizens who are beholden to the banking industry’s power over them, and for the proper values of education.

The IBAN code contains two check digits validating the rest according to a single-level algorithm. It’s supposed to make miskeying virtually impossible. Unfortunately any miskeying creates a random integer and one random integer in 97 passes the check digit test.

Indeed, Intelligent Finance was so ignorant about the use of such techniques it simply assigned a constant to the field for all customers, issuing every one of its customers a completely incorrect IBAN.
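An added example, not part of the original post or of any commenter’s text, implementing the mod-97 check-digit scheme the comment above describes (ISO 13616: move the first four characters to the end, expand letters A..Z to 10..35, and require the resulting integer mod 97 to equal 1). The test IBAN is the standard illustrative one, not a real account, and the random candidates are constructed. Beyond what the comment states, the example shows that because 97 is prime every single-character miskeying is rejected, while roughly one in 97 arbitrary strings of the right shape does pass.

```python
import random

LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"


def iban_to_int(iban: str) -> int:
    """ISO 13616 rearrangement: move the first four characters (country code and
    the two check digits) to the end, expand each letter to A=10 .. Z=35, and
    read the digit string as one big integer."""
    s = iban.replace(" ", "").upper()
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged))


def iban_valid(iban: str) -> bool:
    """The single-level check described in the comment: whole number mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if len(s) < 5 or not s.isascii() or not s.isalnum():
        return False
    return iban_to_int(s) % 97 == 1


def compute_check_digits(country: str, bban: str) -> str:
    """Issuing side: put '00' in the check position, take mod 97, subtract from 98."""
    n = iban_to_int(country + "00" + bban)
    return f"{98 - n % 97:02d}"


def single_substitutions_detected(iban: str) -> tuple:
    """Try every single-character miskeying that keeps a digit a digit and a
    letter a letter; return (how many were rejected, how many were tried).
    With a prime modulus larger than any single-position difference, all of
    them are rejected."""
    s = iban.replace(" ", "").upper()
    tried = detected = 0
    for i, c in enumerate(s):
        pool = DIGITS if c.isdigit() else LETTERS
        for alt in pool:
            if alt == c:
                continue
            tried += 1
            if not iban_valid(s[:i] + alt + s[i + 1:]):
                detected += 1
    return detected, tried


def random_iban_pass_count(n: int, seed: int = 1) -> int:
    """Feed n random GB-shaped strings (constructed, not real accounts) through
    the check and count how many pass; about n/97 will, which is the residual
    risk the comment points at for a miskeying that garbles more than one
    character."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(n):
        cand = ("GB" + "".join(rng.choices(DIGITS, k=2))
                + "".join(rng.choices(LETTERS, k=4))
                + "".join(rng.choices(DIGITS, k=14)))
        passed += iban_valid(cand)
    return passed


if __name__ == "__main__":
    example = "GB82 WEST 1234 5698 7654 32"   # standard illustrative IBAN, not a real account
    print(iban_valid(example))                              # True
    print(compute_check_digits("GB", "WEST12345698765432"))  # 82
    print(single_substitutions_detected(example))
    print(random_iban_pass_count(20000))
```

The same routine, called with the check digits forced to "00", is what an issuing system should run when it generates IBANs; assigning a constant to every customer, as the next comment describes, is what you get when that step is skipped.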

After losing several thousand pounds before my new card was even “activated”, I salute you and your students. Facing foreclosure, I was forced to pay up. What a disgraceful excuse for a “security” system.

Well done Prof Anderson for your activities! This is the sort of thing that won the war! I try my hardest to refuse to use this abomination of technology but I can’t. Simply looking over customers shoulders is enough to crack their PIN in any supermarket. If I’m doing it without even thinking about it, surely there are more nefarious types doing it for criminal gain. A simple two man attack wouldn’t be difficult to organise; one with a mobile (cell) phone capturing the PIN, another in the car park with a baseball bat…

Computer Science is hardcore stuff as the UKCA should know. 8 lines for a postal address is a bit long, don’t you think?

Hi Prof Anderson… I just listened to your interview on Radio 4 with Melanie Johnson and thought you did a great job.

It’s a shame that you weren’t given the time to answer Ms Johnson’s fatuous closing remarks, but she didn’t do herself or her industry any favours by incessantly spinning and refusing to give a straight answer to any question. In fact, I thought she did a good impression of Michael Howard in the infamous Paxman interview.

What I didn’t get round to saying was that Melanie was the Treasury minister who pushed the Financial Services and Markets Act 2000 through Parliament. This not only damaged banking regulation, by splitting it between the Bank of England, the FSA and the Treasury, but established the dreadful Financial Ombudsman Service which seems rather ready to find for the bank and against the customer in disputes.

I share completely your view on the Financial Ombudsman Service. As I researched, their tactics to dismiss a valid customer complaint are as follows:

1. Disregarding facts and points of complaint that would make it valid.
2. Using fantasy to invent new “facts” that are not even included in the original complaint.

Then they dismiss such a distorted and ridiculous complaint (that has very little to do with the original one). It transpired from my research that it looks quite likely that the FOS staff are trained in such a crude and not entirely honest methodology.